Cybersecurity: Learning from the Future

Cybersecurity demands the impossible: that we look into the future to see where hackers are heading and what tactics they are brewing up. Of course there is no such crystal ball, so instead we focus on strategies hackers have carried out in the past and try to make predictions about future moves.

But as generals are always accused of fighting the last war, there is a similar problem with cybersecurity – threats of the past, while edifying, will not necessarily be the threats of the future. So while learning from the past is valid, it is simply not sufficient for combatting future cyber threats.

What we have learned is that state-sponsored hackers, with their enormous experience, successes and unlimited resources, are often one step ahead, waiting silently inside of porous firewalls, integrated into strategic junctions where they can assess information, learning which data to target to achieve their goals. Political organizations’ data centers, politicians’ and business leaders’ personal or work accounts… all are fair game for hackers, and their targets will only expand in the future.

With ominous state-sponsored hackers like the Syrian Electronic Army – who have successfully attacked The Washington Post, CNN and other outlets – businesses and governments alike must be sufficiently prepared to prevent malicious attacks of any kind that may come their way.

A Silent Enemy

Zero-day exploits, targeted hacking and other advanced methodologies employed by state-sponsored hackers present many difficulties for defenders. Hackers employ these approaches and then wait for the data they require, collect it and use it against the target for strategic (often political) purposes. Behaving like stealthy spies, hackers wait patiently for some relevant noise. While we can do our best to encrypt our data and close any attack vectors based on past experience, we will always be one step behind the hackers unless we have a forward-thinking strategy.

Pro-active Defense

If there is suspicion that data has been compromised, we must immediately stop communicating valuable information via that channel. There are two general techniques that aim to uncover these silent, patient probes: indicators of compromise (IOCs) and indicators of attack (IOAs), which typically follow IOCs. There are patterns we can follow to determine whether our data is compromised, starting with predicting the patterns of these IOCs and how the malware behind them communicates.

But it is not enough to be passive in our defense of state-sensitive information. Before using IOCs and IOAs, sensitive political targets that threat actors may pursue should be identified. These may not be what the actors have targeted in the past, but may be based on the current political climate. Strategists must first assess what targets could be beneficial to enemy states in the future and build a cybersecurity plan around this ever-changing political atmosphere. Once we have assessed the potential targets for attack, we can implement the required tools to identify IOCs and IOAs across all at-risk platforms.

Silent Discovery – a Future Advantage

Discovering an enemy’s presence without their knowledge creates a strong strategic advantage. Instead of smoking out the hackers and either publicly or privately exposing them, this knowledge can be used to turn the tables. We can then choose what the enemy receives – i.e. feed them with fake information per our own strategic goals. By continuing to trace the IOAs and the origin of the malware, we can maintain a symbiotic relationship with these hackers that gives a strategic advantage to the hacked, rather than the hackers.

Of course, it isn’t quite that simple. While the IOCs and IOAs may allow us to identify hackers’ individual events and act accordingly, correlating all these data points through more holistic analytic systems is the only way to reveal the bigger picture and understand the real intent of the campaign. States must work together to stay one step ahead of hackers who are constantly shifting and changing their malware to achieve their goals. Yes, we can study patterns from the past, but we still must assess political and strategic objectives to truly predict the future.
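To make the distinction between the two techniques concrete, and to show the correlation step the paragraph above calls for, here is an added Python example (not code from the article, empow or Radware). It applies an IOC list of known-bad artefacts and two behavioural IOA rules (an office application spawning a script host, and regular beaconing to one destination) to a handful of constructed log lines, then groups the hits per host so that a known artefact and suspicious behaviour on the same machine surface as one campaign rather than as isolated events. Every domain, hash, IP address and hostname below is a constructed placeholder; the log format, rule thresholds and scoring are assumptions made for the illustration.

```python
"""
Added example: IOC matching vs. IOA (behavioural) detection over constructed
logs, followed by per-host correlation. All indicators here are placeholders.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed IOC list: artefacts learned from past incidents (the "last war").
KNOWN_BAD_DOMAINS = {"updates-cdn.example.invalid"}
KNOWN_BAD_HASHES = {"0000000000000000000000000000000000000000000000000000000000000000"}

# Constructed IOA rules: behaviour that is suspicious regardless of the artefact.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"rundll32.exe", "powershell.exe", "mshta.exe", "cmd.exe"}

# Constructed log lines in an assumed format: "<ts> <host> <kind> k=v k=v ..."
# ws-17 resolves a known-bad domain, has Word spawn rundll32 with an UNKNOWN hash,
# then beacons to 203.0.113.9 every 600 s. ws-42 is ordinary user activity.
SAMPLE_LOGS = """\
1000 ws-17 dns query=updates-cdn.example.invalid
1005 ws-17 proc name=rundll32.exe parent=winword.exe sha256=1111111111111111111111111111111111111111111111111111111111111111
1600 ws-17 net dst=203.0.113.9 bytes=512
2200 ws-17 net dst=203.0.113.9 bytes=511
2800 ws-17 net dst=203.0.113.9 bytes=513
1010 ws-42 dns query=intranet.example.invalid
1020 ws-42 proc name=chrome.exe parent=explorer.exe sha256=2222222222222222222222222222222222222222222222222222222222222222
"""


def parse_log(text):
    """Turn the assumed line format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, host, kind = int(parts[0]), parts[1], parts[2]
        fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        events.append({"ts": ts, "host": host, "kind": kind, **fields})
    return events


def ioc_hits(events):
    """IOC matching: exact lookup of observed artefacts against the known-bad list."""
    hits = []
    for e in events:
        if e["kind"] == "dns" and e.get("query") in KNOWN_BAD_DOMAINS:
            hits.append((e["host"], e["ts"], "ioc:bad-domain:" + e["query"]))
        if e["kind"] == "proc" and e.get("sha256") in KNOWN_BAD_HASHES:
            hits.append((e["host"], e["ts"], "ioc:bad-hash:" + e["sha256"]))
    return hits


def ioa_hits(events, min_beacons=3, max_jitter=0.1):
    """IOA detection: flag behaviour patterns, needing no prior knowledge of the artefact."""
    hits = []
    # Rule 1: an office application spawning a script host or LOLBin.
    for e in events:
        if (e["kind"] == "proc" and e.get("parent") in OFFICE_PARENTS
                and e.get("name") in SUSPICIOUS_CHILDREN):
            hits.append((e["host"], e["ts"], f"ioa:office-spawn:{e['parent']}->{e['name']}"))
    # Rule 2: beaconing, i.e. repeated connections to one destination at near-constant intervals.
    conns = defaultdict(list)
    for e in events:
        if e["kind"] == "net" and "dst" in e:
            conns[(e["host"], e["dst"])].append(e["ts"])
    for (host, dst), stamps in conns.items():
        stamps.sort()
        if len(stamps) < min_beacons:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the inter-arrival gaps; low means machine-like regularity.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((host, stamps[0], f"ioa:beacon:{dst} every ~{avg:.0f}s"))
    return hits


def correlate(events):
    """Group IOC and IOA hits per host so one campaign shows up as one picture, not scattered events."""
    by_host = defaultdict(lambda: {"first_seen": None, "ioc": [], "ioa": []})
    for host, ts, label in ioc_hits(events) + ioa_hits(events):
        entry = by_host[host]
        entry["first_seen"] = ts if entry["first_seen"] is None else min(entry["first_seen"], ts)
        entry["ioc" if label.startswith("ioc:") else "ioa"].append(label)
    # Assumed scoring: behavioural evidence weighs more, and a host with both kinds outranks either alone.
    for entry in by_host.values():
        entry["score"] = len(entry["ioc"]) + 2 * len(entry["ioa"])
    return dict(by_host)


if __name__ == "__main__":
    for host, info in correlate(parse_log(SAMPLE_LOGS)).items():
        print(host, info)
```

Note what each technique catches: the IOC list recognises the domain it already knew about, but the rundll32 binary has a hash nobody has seen, so only the behavioural rules flag the Word-spawned process and the regular beaconing. On their own each hit is a single event; grouped by host they tell a story (initial access, then command and control) that supports the article's point that correlation, not indicator matching alone, reveals the campaign's intent.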

Avi Chesla is CEO and Founder of empow, a cyber security company that envisions a future where security experts have the freedom, and the technology, to create unique solutions to meet their organizations' security needs. Prior to empow, Avi was CTO and VP of Security Products at Radware, where he was responsible for defining and leading the company’s strategic technology roadmap and vision including the foundation and management of Radware’s Security Division, a provider of cyber attack mitigation solutions. Mr. Chesla has authored a number of articles for major publications on advanced network behavioral analysis, expert systems and information security and has earned numerous patents in these areas. His views on industry trends and best practices have been featured in articles, white papers, and on the conference speaking circuit.